Thursday 26 July 2012

GPOs for View


Best practice is to create a separate OU (or OUs) for the View desktops and link GPOs to those OUs. By default, a user's policy settings come from the set of GPOs that apply to the user object in Active Directory, wherever that object sits. In a View environment, however, the user settings should follow the computer the user logs in to. Enabling loopback processing on a GPO linked to the desktop OU makes its User Configuration settings apply to every user who logs in to those computers, regardless of where the user object is located in Active Directory.

To enable loopback processing on a GPO, open the Group Policy Management tool on a Domain Controller, edit the GPO, and then:
  • Expand the Computer Configuration folder and then expand the Administrative Templates, System /Group Policy folders.
  • In the right pane, right-click User Group Policy loopback processing mode and select Properties.
  • On the Setting tab, select Enabled and then select a loopback processing mode from the Mode drop-down menu.

I normally choose Merge as the mode, but you can also use Replace to ignore the user's normal GPOs completely.
  • Merge - The user policy settings applied are the combination of those in both the computer and user GPOs. Where conflicts exist, the computer GPOs take precedence.
  • Replace - The user policy is defined entirely by the GPOs associated with the computer. Any GPOs associated with the user are ignored, including ones the user may depend on (drive mappings, folder redirection and the like), so check what they lose before choosing Replace.


Note that after changing this, the View desktop has to apply its computer policy before loopback takes effect. Running gpupdate /force on the desktop will do it, but the easiest and most reliable way is to reboot the OS.

By default I would then add some settings to the User Configuration part of the GPO to disable the Shut Down / Restart options.
  • Expand the User Configuration folder and then expand the Administrative Templates, Start Menu and Taskbar folders, then set the following entries:
  • Add Logoff to the Start Menu = Enabled
  • Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands = Enabled
  • Clear the recent programs list for new users = Enabled


There are other settings in the GPO that you may want to look at to remove or lock down parts of the desktop (Remove Run menu from Start Menu is a popular one). Bear in mind that these Start Menu settings tidy up the UI rather than form a security boundary: a user who cannot see Run can still launch programs from Explorer, so pair them with application control or file system permissions if the aim is to stop users running things.
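The whole procedure above (create the GPO, link it to the desktop OU, turn on loopback processing, and set the Start Menu lockdown entries including Remove Run) can be scripted with the GroupPolicy PowerShell module instead of clicking through the console. This is an added example and not code from the original post; the GPO name, the OU distinguished name and the choice of Merge mode are assumptions for illustration. Each Administrative Template setting is written via the registry value that backs it, which is what the console does under the covers.

```powershell
# Added example, not part of the original post. Requires the GroupPolicy module
# (RSAT or a Domain Controller). Assumed values: the GPO name, the OU DN and the mode.
Import-Module GroupPolicy

$GpoName  = 'View Desktops'                          # assumed GPO name
$TargetOu = 'OU=View Desktops,DC=corp,DC=example'    # assumed OU holding the desktop computer objects
$Mode     = 'Merge'                                  # 'Merge' (default here) or 'Replace'

# 1. Create the GPO if it does not exist yet and link it to the desktop OU.
#    The link goes on the OU that holds the COMPUTER objects; loopback is what
#    makes the User Configuration half apply there.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Lockdown for View desktops (loopback)'
}
$alreadyLinked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 2. Computer Configuration > Administrative Templates > System > Group Policy >
#    User Group Policy loopback processing mode. Backed by UserPolicyMode under
#    HKLM: 1 = Merge, 2 = Replace.
$loopbackValue = @{ Merge = 1; Replace = 2 }[$Mode]
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value $loopbackValue | Out-Null

# 3. User Configuration > Administrative Templates > Start Menu and Taskbar.
#    All of these are DWORD = 1 under the Explorer policy key in HKCU.
$explorerKey  = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$userSettings = [ordered]@{
    ForceStartMenuLogOff                 = 1  # Add Logoff to the Start Menu
    NoClose                              = 1  # Remove and prevent access to Shut Down, Restart, Sleep, Hibernate
    ClearRecentProgForNewUserInStartMenu = 1  # Clear the recent programs list for new users
    NoRun                                = 1  # Remove Run menu from Start Menu (the optional extra)
}
foreach ($valueName in $userSettings.Keys) {
    Set-GPRegistryValue -Name $GpoName -Key $explorerKey -ValueName $valueName `
        -Type DWord -Value $userSettings[$valueName] | Out-Null
}

# 4. Read back what actually landed in the GPO before any desktop picks it up.
$loopbackCheck = Get-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ValueName 'UserPolicyMode'
"Loopback UserPolicyMode = $($loopbackCheck.Value)  (1 = Merge, 2 = Replace)"
Get-GPRegistryValue -Name $GpoName -Key $explorerKey |
    Select-Object ValueName, Value |
    Format-Table -AutoSize
```

The read-back at the end only confirms the GPO contents. To confirm the desktop is really using it, reboot a View desktop (or run gpupdate /force on it), log in as a normal user whose account sits in a different OU, and run gpresult /r /scope:user: the GPO above should be listed under the applied user policies, and in Replace mode the user's own OU GPOs should be absent from that list. If the GPO shows up under "filtered out" instead, check the link on the OU and the security filtering (Authenticated Users needs Apply permission for loopback to work for arbitrary users).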
